CIVI-SA-2019-05: XSS in "New Pledge" form

Submitted by dev-team on February 20, 2019 - 09:00
Security Risk: 
Less Critical
Vulnerability: 
Cross Site Scripting
Affected Versions: 

CiviCRM Versions 5.10.2 and earlier

Fixed Versions: 

CiviCRM Version 5.10.3 and 5.7.4

Publication Date: 
Wednesday, February 20, 2019
Description: 

The "Currency" element of a new pledge was not properly validated, which could potentially lead to a cross-site scripting attack.

Solutions: 

Upgrade to the latest version of CiviCRM

Credits: 

Patrick Figel of Greenpeace for reporting and fixing the issue

References: 

security/core#16

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Make your next CiviCRM implementation a Success.
Find an Expert

© 2005 - 2019, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.